(This is a re-post. Tenable support kicked my ticket (BFP-98828-930) to the curb, so I figured I'd ask one last time here... C'mon you @tenablesecurity.com folks, help a fella out...)

I wrote a plugin (attached) to verify compliance with company standards regarding local users and groups (renaming admin, decoy accounts, group memberships, disabled accounts, etc.). I had no problem getting NASL to do what I wanted, with ONE exception:

I need to be able to use the local host SID and local group RIDs to retrieve the actual NAMEs of local groups. I can establish a session to the $IPC share, I can get the local group RIDs using NetUserGetLocalGroups(), I can get an LSA handle with LsaOpenPolicy(), I can get the hex sid of the host from the KB, and I can convert the hex sid + group RID to a raw sid with hex2raw2().

If I comment out the hex host SID -> raw host SID + group RID -> raw group SID conversion, and then paste just the raw group sid from, say, smb_group_backup_op.nasl, my plugin converts the raw SID to a group name. The group in question is the local Users group. NetUserGetLocalGroups returns '545' for this group, which I assume is the RID.

- John
24hr_local_01_accounts.nasl
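The binary SID layout behind the "host SID + RID" step, as an added Python example that is not part of the original post or the attached plugin. The host SID is a constructed sample, the function names are hypothetical, and `naive_concat` is one assumed way the step can go wrong, not the poster's code. The well-known local Users alias is S-1-5-32-545, under the BUILTIN domain SID S-1-5-32, which is a different SID from a machine SID with 545 appended.

```python
import struct

BUILTIN_SID = "S-1-5-32"                                   # well-known BUILTIN domain
HOST_SID = "S-1-5-21-1111111111-2222222222-3333333333"     # constructed sample

def sid_to_raw(sid):
    """'S-R-A-s1-s2...' -> revision, count, 6-byte BE authority, LE sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def raw_to_sid(raw):
    """Inverse of sid_to_raw; rejects a buffer whose length disagrees with its count byte."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big")) + \
           "".join("-%d" % s for s in subs)

def append_rid(raw_domain_sid, rid):
    """Domain SID + RID: append the RID little-endian AND bump the count byte."""
    count = raw_domain_sid[1]
    if count >= 15 or len(raw_domain_sid) != 8 + 4 * count:
        raise ValueError("cannot extend this SID")
    return (raw_domain_sid[:1] + bytes([count + 1]) + raw_domain_sid[2:]
            + struct.pack("<I", rid))

def naive_concat(raw_domain_sid, rid):
    """Hypothetical mistake: RID appended but the count byte left stale."""
    return raw_domain_sid + struct.pack("<I", rid)

if __name__ == "__main__":
    for domain in (BUILTIN_SID, HOST_SID):
        raw = append_rid(sid_to_raw(domain), 545)
        print(raw_to_sid(raw), raw.hex())
    try:
        raw_to_sid(naive_concat(sid_to_raw(HOST_SID), 545))
    except ValueError as exc:
        print("naive concat rejected:", exc)
```
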
